Etusivu Privacy Statement

Privacy Statement

1. Introduction – Data protection in the Kilpilahti Area

This privacy statement describes how Neste Corporation processes your personal data when you work for Neste Corporation in Kilpilahti or visit the Kilpilahti industrial area. We aim to ensure the safety and smooth operation of the area, which involves processing your personal data. This statement explains what data we collect, for what purposes, to whom it is disclosed, and what your rights are regarding your data.

Neste Corporation is the main operator in the Kilpilahti area and has business needs to process your personal data, as well as statutory obligations to ensure the area’s safety and compliance with regulations, for example, according to chemical, occupational safety, and building legislation. This requires us to know who is moving within the area.

Other operators also operate in the Kilpilahti area (such as Borealis Polymers Oy, Oy Linde Gas Ab, Aurora Kilpilahti Oy, BEWI RAW Oy, Ineos Composites Finland Oy, Kilpilahden Voimalaitos Oy, Veolia Services Suomi Oy, Securitas, VR Transpoint, Ashland Finland Oy, Gasum Oy, Revanssi Oy, OMS Shipping, Finnpilot Pilotage Oy, Finnish Customs), each acting as their own data controller for their employees, contractors, and operations.

2. Data Controller and Contact Information

Data Controller: Neste Corporation Keilaranta 21 FI-02150 Espoo, Finland

Companies in the Kilpilahti area act as independent data controllers.

Contact information for privacy inquiries: If you have questions about the processing of personal data or wish to exercise your rights, you can submit a request through our website: https://www.neste.com/privacy

If your matter concerns personal data processing performed by an entity other than Neste, please contact that specific entity.

3. Purposes and Legal Basis for Processing Personal Data

We process your personal data for several purposes within the Kilpilahti area. Processing is always based on one of the following legal grounds:

  • Legal Obligation: Processing is necessary to comply with statutory obligations (e.g., Contractor’s Liability Act, Occupational Safety and Health Act, Chemicals Act, Building Legislation, Tax Administration Act, Tax Procedure Act, Act on Tax Numbers and Tax Number Register, Posted Workers Act, Aliens Act).
  • Contract: Processing is necessary for the performance of a contract to which you are a party or in order to take steps at your request prior to entering into a contract.
  • Legitimate Interest: Processing is necessary for the purposes of the legitimate interests pursued by Neste or by a third party, except where such interests are overridden by your interests or fundamental rights and freedoms (e.g., area safety, property protection, enabling work in Kilpilahti).
  • Consent: In certain cases, where there is no other basis for processing your personal data, we will ask for your consent to process the data.

Purposes of personal data processing in the Kilpilahti area:

Data processed through the contractor portal:

  • Fulfilling Contractor’s obligations: We ensure that companies operating in the area (for Neste) and their employees comply with statutory obligations, such as verifying employees’ right to work and tax numbers.
  • Processing and managing access and work permits: We process data to grant and manage access and permits to the area, including exceptional permit processes.
  • Tax reporting: We report data to the Tax Administration in accordance with legal requirements.
  • Managing qualifications and training: We ensure that individuals working in the area have the necessary qualifications and training to ensure safe work.
  • Maintaining construction site and employee registers: We maintain a register of construction sites and the individuals working on them.
  • Communication: We process data to enable communication with those working in the area.
  • Corporate security and occupational safety: We process data to ensure the general safety of the area and compliance with occupational safety legislation.

Data processed through access control systems and camera surveillance:

  • Area safety and protection: We prevent unauthorized access to Neste’s areas and facilities. Camera surveillance supports this purpose.
  • Real-time area monitoring: To identify individuals and vehicles in the area and maintain a real-time list of their presence.
  • Ensuring workplace safety: We ensure that individuals moving in the area have the right and necessary permits to be present and work in the area. Camera surveillance supports ensuring the safety of individuals moving in the area.
  • Camera surveillance for crime prevention and investigation: Camera surveillance recordings support area security, property protection, and the prevention and investigation of potential crimes.
  • Incident investigation: We use access control and camera surveillance data in the investigation of possible misuse, fraud, or crimes.
  • Invoice verification: Access control data may be used for invoice verification.
  • Supporting emergency services operations: We process necessary personal data to support the operations of Kilpilahti area emergency services and manage emergencies, ensuring a quick and effective response to guarantee safety.

Maintaining a drug-free work environment and ensuring occupational safety:

  • We ensure that individuals working in Neste’s area are fit for work and capable of working safely, which promotes the safety of both themselves and other employees. We prevent the use of intoxicants and the risks they cause in the workplace. We fulfill the legal and Neste’s requirements related to substance control at the workplace.

Operational efficiency:

  • Through systems, we enable the smooth operation and cooperation in the Kilpilahti area.

Preventing and investigating misuse: We process personal data to detect, prevent, and investigate possible misuse, such as theft, fraud, property damage, or other criminal acts. This supports property protection and compliance with rules in the area.

4. Categories of Personal Data Processed

We collect and process the following categories of personal data in the Kilpilahti area:

  • Basic information: First and last name, date of birth, personal identity number or passport number, nationality, address, photograph, signature.
  • Contact information: Email address, phone number.
  • Work and qualification-related information: Employer company name, profession, position, curriculum vitae (CV), professional qualifications, training programs and their completions (e.g., safety and fire safety cards), work permit and residence permit (if necessary), employment contract.
  • Service usage data: User ID (can be an email address), password (encrypted).
  • Access control data: Access card number, access rights, dates of granting and returning access rights, information on entering and leaving the area (timestamps, access point), vehicle registration number.
  • Information related to authority reporting: Finnish tax number (for identification purposes at construction sites as required by law), information about the employer and employment relationship.
  • Video surveillance material: Recordings from camera surveillance.
  • Log data: Technical log data generated from service and system usage (e.g., IP address, login times, system events) to ensure the functionality and data security of the service and systems.
  • Information related to sobriety: Data from breathalyzer tests or other substance test results, when monitoring is based on law or the nature of the work task and is necessary to ensure occupational safety. This data is processed with particular care and only to the extent permitted by law and necessary.
  • Information related to misuse investigations: Information necessary for investigating and verifying suspected misuse, fraud, theft, or other similar events, including any information from clarification requests or reports.

The personal data collected and processed varies according to the role and purpose of use, and not all of the above information is collected from every data subject.

5. Data Sources

Personal data is primarily collected from the following sources:

  • From your employer/contracting company: Your company may submit and update its employees’ data.
  • From access control systems and camera surveillance: Data is collected as you move within the area.
  • From other data controllers, i.e., companies in the area: If data exchange is necessary for the operations of another company or to fulfill a statutory obligation, and there is an appropriate legal basis for it.
  • From authorities or public sources: For example, information necessary to verify the right to work.
  • From breathalyzer devices and other similar testing devices: Data is processed in connection with occupational safety-related inspections.
  • Notifications and reports: Information on suspected misuse or other deviations obtained, for example, through reporting channels or monitoring systems.

6. Recipients of Personal Data and Data Disclosure

We disclose personal data only when necessary and within the limits permitted by law to the following parties:

  • Within Neste: Access to data is limited to individuals and teams whose job duties require it (e.g., corporate security, project managers, site supervisors, implementation managers, safety coordinators).
  • Service providers: We use external service providers who provide contractor portal and access control systems. They process data on Neste’s behalf and according to its instructions.
  • Authorities: We are legally obliged to disclose data to authorities upon their request or in connection with regular reporting. Such authorities include, for example: the Tax Administration, Regional State Administrative Agency (AVI), Customs, Police, Border Guard. Regular data disclosures are made to several authorities; especially the Tax Administration regularly requests data on contractors and their employees.
  • Other Kilpilahti area companies: Data may be shared with other companies operating in the Kilpilahhti area when there is an appropriate basis for sharing, for example, to ensure the common safety of the area or for business needs. This sharing is limited based on necessity, and each company is an independent data controller for its own data.
  • Other partners: Data may be disclosed to other partners for the provision of services (e.g., occupational safety-related operators) if there is an appropriate legal basis for sharing.

Data transfers outside the EU/EEA: As a general rule, personal data is not transferred outside the European Union or the European Economic Area. However, if data is transferred outside the EU/EEA, Neste ensures an adequate level of data protection by using appropriate safeguards, such as standard contractual clauses approved by the European Commission.

7. Data Retention Periods

We retain your personal data only for as long as necessary for the purpose of processing or to fulfill statutory obligations.

Neste retains your personal data for at least the duration of the contractual relationship between Neste and its service provider, after which Neste re-evaluates the necessity of retaining the personal data. In certain situations, when acting as the main contractor at a construction site, Neste has an obligation to retain your basic data for at least six years after the completion of the construction site.

In any case, your personal data will be deleted at the latest 10 years after the end of the contractual relationship between Neste and its service provider, unless there is an overriding obligation for longer retention.

General retention policy: Personal data is retained for as long as necessary to fulfill the defined purposes.

Specific retention periods are:

  • Construction site personnel logs: Retained for 6 years after the closing of the construction site.
  • TA project data: Retained for 2-10 years depending on the nature of the data.
  • Maintenance data: Retained as required, meaning maintenance data is retained as long as the device or part is in use.
  • Safety and security data: Retained for the period required for security, compliance, and investigation purposes.
  • Access control data (access and working hours): Generally retained for 2 years.
  • Video surveillance material: Automatically deleted usually after 2 weeks – 1 month, unless the recording is needed for investigation or legal proceedings.
  • Information related to misuse investigations: Retained for as long as necessary to complete the investigation, for potential legal processes, or to fulfill statutory obligations.

8. Protection of Personal Data

We do our best to keep your data secure. Through continuous and active development, we ensure that your data remains safe.

Neste employs necessary technical and organizational security measures and procedures to protect your personal data from loss, misuse, alteration, or destruction.

All Neste employees and contractors are bound by a data security policy that includes more detailed instructions. Only individuals who need the data to perform their job duties have access to systems and applications that process personal data.

If electronic data is managed by a third party on behalf of Neste, Neste requires that third party to comply with comprehensive data security requirements.

If personal data is processed manually, it takes place in approved facilities. The facilities are protected by necessary physical safeguards, such as access control systems and surveillance cameras.

9. Data Subject Rights

You have the following rights regarding your personal data:

  • Right to access data: You can request confirmation of whether we are processing personal data concerning you and request access to that data.
  • Right to rectification: You can request that incorrect or incomplete personal data be corrected.
  • Right to erasure (“right to be forgotten”): You can request the deletion of your data from our systems if there is no longer a legal basis for processing the data. Please note that some data, such as data related to statutory obligations or security, may not be immediately deleted due to retention periods.
  • Right to restriction of processing: You can request the restriction of the processing of your data, in which case Neste can only store the data but not use it in other ways. This right applies in certain situations, for example, if you dispute the accuracy of the data.
  • Right to object to processing: You can object to the processing of your personal data based on Neste’s legitimate interest, on grounds relating to your particular situation. Please note that objecting may prevent access to Neste’s premises or services.
  • Right to lodge a complaint with a supervisory authority: If you suspect that the processing of your personal data violates data protection laws or that your rights have not been respected, you have the right to lodge a complaint with the national data protection authority (in Finland, the Office of the Data Protection Ombudsman).

Exercising your rights: You can exercise the above rights by contacting Neste. Requests should be made through Neste’s website: https://www.neste.com/privacy

If your matter concerns personal data processing performed by an entity other than Neste, please contact that specific entity.

Contact Neste’s Data Protection Officer: If you wish to contact Neste’s Data Protection Officer, you can use the following form: https://www.neste.com/fi-fi/tietosuoja/kysyttavaa-tietosuojasta

10. Special Provisions Regarding the Role of Kilpilahti Area Companies as Data Processors

In situations where another Kilpilahti area company acts as a personal data processor on behalf of the data controller through a service or other arrangement, the following applies:

The processing company processes personal data only in accordance with the data controller’s documented instructions, this statement, and applicable data protection legislation for the purpose of providing the service and fulfilling defined purposes. The processor ensures appropriate technical and organizational safeguards to secure personal data, ensures the confidentiality obligation of individuals processing personal data, assists the data controller in fulfilling its statutory obligations (such as implementing data subjects’ rights and responding to data security breaches), and upon termination of the contract, deletes or returns personal data according to the data controller’s instructions, unless otherwise required by law.

11. Changes to This Privacy Policy

This privacy policy will be updated as needed to reflect changes in personal data processing practices or legislation. We recommend checking the policy regularly on the kilpilahti.fi website.